Is it safe to store passwords in cookies?

I have a RememberMe checkbox on my web application's home page. If the user checks it, I save the email address and password in cookies. This is my code:

    if (this.ChkRememberme != null && this.ChkRememberme.Checked)
    {
        // The user name becomes the cookie name, the password its value.
        HttpCookie cookie = new HttpCookie(TxtUserName.Text, TxtPassword.Text);
        // DateTime.AddYears returns a new value; it has to be assigned back to Expires.
        cookie.Expires = DateTime.Now.AddYears(1);
        Response.Cookies.Add(cookie);
    }

What I want to know:

  • Is it safe to store passwords in cookies?
  • What is the right way to do the same?
  • What are the best methods for setting the time for a cookie?
+55
c# passwords asp.net-mvc remember-me
Jan 20 '10 at 9:48
10 answers

It is NOT safe to store passwords in cookies, as they are available in plain text.

A good place to look for answers is Cookie Central. For membership, a cookie usually carries a long string called a token, which the website issues when the user provides a username and password. You can learn more about the process in this article. When using forms authentication in ASP.NET, you can set the authentication cookie as follows:

 FormsAuthentication.SetAuthCookie(userName, isPersistanceCookie); 

The second parameter is used for the "Remember Me" function: if true, it creates a persistent cookie, which remains after you leave the site. You can also manipulate the cookie programmatically as follows:

 HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName]; 
+57
Jan 20 '10 at 9:51

No! Do not store passwords in cookies!

In ASP.NET use

 FormsAuthentication.SetAuthCookie(username, true); 

The second argument determines whether the cookie is persistent (the value of the Remember Me flag).

+25
Jan 20 '10 at 9:59

No, not remotely. You have no guarantee that cookies are not saved as plain text (and, in fact, most implementations do save them as plain text).

Remember that "remember me" is inherently unsafe, since anyone who intercepts the cookie gets access to the application. But exposing the user's password takes it a step further up the ladder of insecurity. :-) And it probably makes the user really angry if they find out.

I use an encrypted cookie string that includes the user account name in combination with a token that is not associated with the user account in any way other than a table on my server. When the user returns to the site, we decrypt the cookie and check whether that token is really associated with that account. The token (and therefore the cookie) changes on each automatic login, invalidating the one that was just used. (There is a many-to-one relationship between tokens and an account, which allows automatic login from several places. You can limit this if you want.) Tokens time out if they are not used for X days. (This is done not only by limiting the lifetime of the cookie, but also on the server side.) There are several other things I throw in there to make life a little difficult for someone trying to decode a cookie (having successfully decrypted it) or to use a stolen cookie (which does not require decryption), but there is no point in going through the details (again, "remember me" is inherently unsafe).

I use this on a site where strong protection is not really needed (obviously) and which has a large number of clients with dynamic IP addresses, so I am not trying to lock it to an IP address. But even locking it to an IP does not make it safe; it only slightly reduces the attack surface.

You might be wondering why I have the username in the cookie. For pure "remember me" purposes I would not recommend putting it there, even encrypted (after all, it is half of the authentication pair in a username/password system). I was a little surprised to see it in our cookie when I looked at the format to remind myself how we did this for this question; but then I saw comments explaining why it is there, and there are reasons not related to "remember me" (not necessarily convincing reasons, in hindsight, but reasons).

In conclusion, the fact that "remember me" is inherently insecure is one of the many reasons why site logs are very important and why you should require password re-verification before allowing changes to important account information (to make it harder for someone who stole the cookie to take over the account).

+15
Jan 20 '10 at
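The scheme described in the answer above, as an added example that is not part of the original answer or of any ASP.NET library: the cookie carries only a random token (a public selector plus a secret validator), the server keeps the account, a SHA-256 hash of the validator and a last-used timestamp, every successful automatic login rotates the token, and an idle timeout is enforced server-side independently of the cookie's Expires. One addition beyond the answer: a presented token whose selector is known but whose validator is wrong is treated as a stolen copy, and every remembered session for that account is revoked. The in-memory store, the account name "alice" and the fixed timestamps are constructed for the demonstration; the language is Python rather than C# because the design is independent of the web framework.

```python
"""Server-side "remember me" tokens: the cookie never contains a password."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Server-side idle timeout, enforced regardless of what Expires the cookie carries.
TOKEN_TTL = timedelta(days=30)


@dataclass
class TokenRecord:
    account: str
    validator_hash: bytes  # sha256(validator): a leaked table does not yield usable cookies
    last_used: datetime


class RememberMeStore:
    """In-memory stand-in for the token table; a real deployment uses a database."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(validator: str) -> bytes:
        return hashlib.sha256(validator.encode("utf-8")).digest()

    def issue(self, account: str, now: datetime) -> str:
        """Mint a token for `account` and return the value to store in the cookie."""
        selector = secrets.token_urlsafe(9)    # public lookup key
        validator = secrets.token_urlsafe(32)  # secret part; only its hash is kept
        self._records[selector] = TokenRecord(account, self._hash(validator), now)
        return f"{selector}:{validator}"

    def redeem(self, cookie_value: str, now: datetime) -> Tuple[Optional[str], Optional[str]]:
        """Check a presented cookie. Returns (account, replacement_cookie) on success
        and (None, None) on failure. A presented token is consumed either way."""
        selector, sep, validator = cookie_value.partition(":")
        if not sep:
            return None, None
        record = self._records.pop(selector, None)  # single use: rotation on every login
        if record is None:
            return None, None
        if now - record.last_used > TOKEN_TTL:
            return None, None
        if not hmac.compare_digest(self._hash(validator), record.validator_hash):
            # Correct selector, wrong validator: someone holds a forged or stale copy.
            # Log out every remembered session for this account, the real owner included.
            self.revoke_account(record.account)
            return None, None
        return record.account, self.issue(record.account, now)

    def revoke_account(self, account: str) -> int:
        doomed = [s for s, r in self._records.items() if r.account == account]
        for s in doomed:
            del self._records[s]
        return len(doomed)

    def active_tokens(self, account: str) -> int:
        return sum(1 for r in self._records.values() if r.account == account)


def scenario() -> Dict[str, object]:
    """Walk through the token lifecycle with constructed timestamps and report the outcomes."""
    store = RememberMeStore()
    t0 = datetime(2024, 1, 1)
    first = store.issue("alice", t0)
    account, second = store.redeem(first, t0 + timedelta(days=1))   # normal auto-login
    replayed = store.redeem(first, t0 + timedelta(days=1))          # old token reused after rotation
    expired = store.redeem(second, t0 + timedelta(days=40))         # idle longer than TOKEN_TTL
    laptop = store.issue("alice", t0)
    store.issue("alice", t0)                                        # second device, second token
    forged = store.redeem(laptop.split(":")[0] + ":guess", t0)      # known selector, wrong validator
    return {
        "account": account,
        "rotated": second is not None and second != first,
        "replayed": replayed,
        "expired": expired,
        "forged": forged,
        "tokens_left_after_forgery": store.active_tokens("alice"),  # the other device is revoked too
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The cookie value itself is worthless without the table: a copied or tampered value either fails lookup or fails the constant-time hash comparison, and a successful automatic login leaves the previously stored value invalid, so a copied cookie used later is detected rather than silently accepted.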

This is something you should never do, because it is very easy to change the cookie value and send it back to the server. Even naively storing "user" in the cookie is not safe, because I could then change it to say that the logged-in user is "Pandia Chendur".

What you can store in cookies is information that, even if the client changes it, does not matter to the server. For example, their favorite color, the layout of the front page, and so on.

You can give them a session identifier stored in the cookie, because they cannot gain anything by changing the value to something else (unless they know the actual session identifier of another session).

What Microsoft's MSDN says about the use of cookies:

Security issues with cookies are similar to those of getting data from a client. In your application, a cookie is another form of user input and is therefore subject to examination and spoofing. A user can at least see the data stored in a cookie, since the cookie is available on the user's own computer. The user can also change the cookie before the browser sends it to you.

You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of the user or of someone who might somehow steal the cookie.

Likewise, be suspicious of information you get from a cookie. Do not assume that the data is the same as when you wrote it; use the same safeguards when working with cookie values that you would use with data a user typed into a web page. The examples earlier in this section showed HTML-encoding the contents of a cookie before displaying the value in a page, as you would before displaying any information you get from users.

Cookies are sent between the browser and the server as plain text, and anyone who can intercept your web traffic can read the cookie. You can set a cookie property that causes the cookie to be transmitted only if the connection uses Secure Sockets Layer (SSL). SSL does not protect the cookie from being read or manipulated on the user's computer, but it does prevent the cookie from being read in transit, because the traffic is encrypted. For more information, see Basic Security Practices for Web Applications.

+9
Jan 20 '10 at 9:56
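The tampering the answer above describes (editing the cookie value and sending it back), together with the one defence that makes such edits detectable: a server-side MAC over the cookie value. This is an added example, not code from the answer or from ASP.NET; the forms authentication ticket is protected along the same lines (signed and, by default, also encrypted with the machine key), which is why `FormsAuthentication.SetAuthCookie` is the right tool and hand-rolled cookies are not. The key `SECRET_KEY`, the claims and the fixed clock value are constructed for the demonstration; in production the key is random, kept on the server and never placed in the cookie.

```python
"""Tamper-evident cookie values: payload.HMAC-SHA256, verified in constant time."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption for the demo only: a real deployment loads a random key from server configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    # Canonical JSON so that the same claims always produce the same bytes (and the same tag).
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))


def sign_cookie(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    payload = _encode_claims(claims)
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(value: str, now: float, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the claims if the tag is valid and the cookie has not expired, else None.

    Every failure path returns None before the payload is trusted: a client can read
    the payload (it is only base64), but cannot change it without the key."""
    payload, sep, tag_b64 = value.rpartition(".")
    if not sep:
        return None
    try:
        tag = _unb64(tag_b64)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


def tamper_demo() -> dict:
    """Issue a cookie for 'bob', rewrite its payload to another user, and check what survives."""
    now = 1_700_000_000.0                                  # constructed clock value
    good = sign_cookie({"user": "bob", "exp": now + 3600})
    payload, _, tag = good.rpartition(".")
    claims = json.loads(_unb64(payload))                   # anyone can read the payload...
    claims["user"] = "Pandia Chendur"
    forged = f"{_encode_claims(claims)}.{tag}"             # ...but the old tag no longer matches
    return {
        "valid_user": (verify_cookie(good, now) or {}).get("user"),
        "forged_rejected": verify_cookie(forged, now) is None,
        "expired_rejected": verify_cookie(good, now + 7200) is None,
        "garbage_rejected": verify_cookie("not.a.cookie", now) is None,
        "wrong_key_rejected": verify_cookie(good, now, key=b"other-key") is None,
    }


if __name__ == "__main__":
    for key, value in tamper_demo().items():
        print(f"{key}: {value}")
```

A signature stops modification, not disclosure or theft: the payload is still readable by the user, and a stolen signed cookie is accepted until it expires, which is why the payload should hold an opaque identifier rather than a password and why an expiry is part of the signed data.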

You cannot store passwords in cookies, because they are available in plain text. But if your preferred approach or a user requirement is to do this, you can do it by encrypting the strings, which can make it safe enough.

But it is not recommended.

+2
Jan 20 '10 at 10:35

I think you need to create a username token and an encrypted authentication string that you get from Windows Identity. There is no need to store the password in the cookie. We have our application, which stores the username and an authenticated string.

+2
Jan 20 '10 at

By the way, storing passwords is not safe anywhere, either on the client side or on the server side.

You do not need to do this.

+2
Jan 30

What Branislav said, and ...

Besides not placing sensitive data in your cookies, you should also protect them by putting at least the following in your web.config:

 <httpCookies httpOnlyCookies="true" /> 

For details, see How exactly do you configure httpOnlyCookies in ASP.NET?

+1
Apr 09 '13 at 20:05

This is not safe at all. Cookies are stored on the client computer, where they can be changed.

0
Jan 20 '10 at 10:00
  • If you use SSL, which you need if you are transferring any secure information, this eliminates the possibility of a third party listening in. This would be the same problem regardless of storing user credentials in cookies, because when they go to your mail server and send their username and password to the server, I assume the server hashes it and compares it with the hashed password you have for that user.

  • Other domains will never be able to read your cookie because of cross-origin restrictions, so that is not a problem.

  • So really the only "security hole", if you want to call it that, is if someone physically gets access to your computer. If that happens, they are likely to get any information they want from that person anyway. How do you explain Chrome automatically filling in the login form for you; is that safe? I am sure they do not store it in plain text, but it does not even matter. If you go to a page where Chrome has filled it in, you can simply copy the password from the form and see that you have that person's password.

  • It really comes down to how "safe" you need it to be. I agree that encrypting user information with an expiration as a token is the best way to authenticate service calls and provides flexibility. I just don't see a problem with storing login credentials in the cookie.

-2
Jul 29 '15 at 12:10
